[go: up one dir, main page]

CN104321777B - Public identifier is generated to verify the personal method for carrying identification object - Google Patents

Public identifier is generated to verify the personal method for carrying identification object Download PDF

Info

Publication number
CN104321777B
CN104321777B CN201380027190.XA CN201380027190A CN104321777B CN 104321777 B CN104321777 B CN 104321777B CN 201380027190 A CN201380027190 A CN 201380027190A CN 104321777 B CN104321777 B CN 104321777B
Authority
CN
China
Prior art keywords
key
code key
server
security component
bio
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201380027190.XA
Other languages
Chinese (zh)
Other versions
CN104321777A (en
Inventor
布鲁诺·本泰奥
菲利普·伯蒂奥克斯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Maofu Co
Original Assignee
Maofu Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Maofu Co filed Critical Maofu Co
Publication of CN104321777A publication Critical patent/CN104321777A/en
Application granted granted Critical
Publication of CN104321777B publication Critical patent/CN104321777B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Bioethics (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Collating Specific Patterns (AREA)

Abstract

Public identifier is generated to verify the personal method for carrying identification object, this method includes initial phase the following steps are included: inputting personal initial biological data (Bio);The first code key (Kbio) is generated according to the biological data;Generate be originated from by the object secure group it is mitogenetic at data (P1) the second code key (KHW): generate include first code key and the second code key initial encryption secret-key;The first identifier of individual related with the initial encryption secret-key with server communication;Public identifier is generated by server by using initial encryption secret-key encryption first identifier, the public identifier is relatively stored by server with the initial encryption secret-key.The public identifier is not important, but by the strongly connected protection between the object and the biology character of the individual.

Description

Public identifier is generated to verify the personal method for carrying identification object
Technical field
The present invention relates to generate public identifier by using electronic equipment to verify or identify individual.
Background technique
Note that working as word " verifying or identification " as used herein, "or" is interpreted to embrace "and/or", this sample Invention is equally applicable to both verify and identify, or even be applied to.
The purpose of identification is to know the identity of certain entity, such as using can be user name or network identifier (such as phone Number) identifier.Verifying allows to verify the identity of certain entity to allow to access service or resource.
Verifying is identified usually using server, is stored thereon with and is related to the data of entity.These entities are previously to have undergone It is registered to the individual of the server step, (provides and drives to be issued certain rights when being verified or identify when them License, ticket or remuneration, the access authority in certain region, the access authority of certain service, the use of certain service, electronic payment Deng).
Be conventionally used for registration it is personal to the data of server be private data, usually alphanumeric, such as password, individual Address (such as IP address), identity card, and/or other data of the electronic equipment used.
In order to sufficiently identify and make to verify or identify the success rate with acceptable value, the data used are from individual's It may be considerably complicated from the point of view of viewpoint.For example, the character that password includes is more, identification is more reliable, but it is close to keep this firmly in mind for individual It is become increasingly difficult for code.
In addition, the concept of mark becomes universal and daily, especially in a mobile environment in digital environment.For example, certain is logical Letter object such as smart card, smart phone, digital flat panel etc. is used as identifying medium.Then, this object needs can with safety The mode leaned on can be used by its holder, while retain ergonomics for using.
Biological data can be used in combination to ensure to carry the personal uniqueness of the object with communication object.For example, raw Object passport is exactly this safety identification object.
When biological data with identification Object associates in use, the anonymity of holder must be protected.In order to realize this Point, registrar only may include the weak rigidity between holder's biological data and his or her identity;It can be see, for example text 2867881 A of part FR.Similarly, biological data is only storable in the object of holder and does not share with database.From knowledge Biological data is read in other object and is limited by between the safety element (such as electronic chip) of the object and remote server passes through A component (such as being controlled according to EAC agreement or extended access) of the object is mutually authenticated, and permission (is held with local mode Data in the object of person) and/or verified with information and the remote mode of a server share.
This program is designed to verify personal official country identity, it is difficult to be generalized to and still need to verifying personal day Often application.
Biology is promoted the use of however, existing to verify the holder of identified media and protect his or her number to identify simultaneously With the demand of right.
Summary of the invention
Present invention address that this demand.
Therefore, the present invention provides a kind of is carried with verifying including at least one security component for generating public identifier Identify the personal method of object, the method includes the initial stages, include the following steps:
Capture personal initial biological data;
The first code key is generated according to the biological data;
Data are generated by the security component of the object;
Generate the second code key of the data generated derived from the security component of the object;
Generate the initial encryption secret-key including first code key and the second code key;
The first identifier of individual relevant with initial encryption secret-key to a server communication;
One public identifier is generated by using initial encryption secret-key encryption first identifier by the server,
The public identifier is relatively stored by server with the initial encryption secret-key.
The first aspect of the present invention includes the initial stage.The purpose of this initial stage is by the personal knowledge selected with him or she The clothes of public identifier will be issued to other object --- mobile phone, card, tablet computer or some other objects --- by being registered in together It is engaged on device.The public identifier issued at the end of registration phase by server is not important, it means that in any case not Allow directly to retrieve the citizenship data of holder, although it is carried out by the strong association between the object and the biological characteristic of individual Building.Identification object cannot use in an efficient way in the case where its legitimate holder is absent from the scene.
According to some embodiments, the initial stage according to the method for the present invention can further comprise one or more of following characteristics It is a:
The data generated by the security component of the object can be for by the uncertain number of the security component of object generation Value (PUF, physical unclonable feature) or the random number being stored in after generation in the security component of the object.
First key is obtained by application signature and/or encryption function, to quote the numerical data for being derived from biological data.Institute Stating the first code key can generate in the security component of the identification object or in third safety element.
Second code key generates in the security component of identification object.
Initial encryption secret-key is generated by the security component of identification object, is then transmit to server, or can be by the service Device generates.
It is applied according to one, code key export can be introduced for initial encryption secret-key.For example, server can be public in generation Exporting code key or the first or second code key before mark from initial encryption secret-key can be received by introducing from the server Code key export generate.Allow creation to be exclusively used in each service for encryption code key introducing code key export when creating public identifier to mention The public identifier of donor.Derived each number mark can be related to the audit function for the service for being exclusively used in being related to by this method.
According to one embodiment, multiple derived public identifiers can be generated, and with it is respective derived from initial encryption secret-key It is stored relatively on the server or on multiple servers.
Public identifier also can be transmitted and be stored in identification object, to be subsequently used as when the service for requesting access to server When identifier.
It according to the method for the present invention further include verification stage to verify the personal identity for carrying the identification object.This is verified Stage the following steps are included:
Capture personal current biometric data;
Current data is generated by the security component of the object;
It is secret that current crypto is generated according to current biometric data and according to the current data of the security component generation by the object Key;
Compare the current crypto code key and initial encryption secret-key;
If comparison result is positive, the identity for carrying the individual of the identification object is effective;
If comparison result is negative, the identity for carrying the individual of the identification object is invalid.
According to executive mode, this may relatively be executed in the security component of identification object and/or at server.
The second aspect of the present invention includes verifying the verification stage for the personal identity for carrying the identification object.Use this hair Bright method, individual prove that he or she has used institute to the individual with access without providing his or her official country identity Select the right of the service of object registration.In the initial stage, the public identifier of building can be by providing the object and object holder Biological characteristic is simply confirmed.In this context, the use of biological characteristic protects personal anonymity.
The invention further relates to the security components including a kind of electronic equipment, for the step of executing according to the method for the present invention. This equipment can further comprise the device for obtaining biological data.According to one embodiment, it is more which may have access to storage The memory of a derived public identifier.Same electronic equipment is then used as access to each other without any associated completely only The identifier of vertical service.
The invention further relates to the systems of the holder for verifying identification object, and the system comprises electricity according to the present invention Sub- equipment and include at least one authentication server at least one public identifier of initial encryption secret-key associated storage.Root According to one embodiment, which includes multiple authentication servers, and each authentication server includes and derived initial encryption secret-key At least one public identifier being stored relatively.
Detailed description of the invention
Pass through the description hereafter to certain non-limiting exemplary embodiments and refers to following attached drawings, other features of the invention It will be apparent with advantage:
Fig. 1 shows the flow chart of the exemplary initial stage when executing according to the method for the present invention;
Fig. 2 shows the figures for the exemplary initial stage realized according to one embodiment of present invention;
Fig. 3 is shown when executing according to the method for the present invention, the example of the identification object used;
Fig. 4 is shown when executing according to the method for the present invention, another example of the identification object used;
Fig. 5 show can check practice stage according to one embodiment of present invention exemplary diagram.
Specific embodiment
The first aspect of the present invention includes the initial stage.The purpose of this initial stage is by the identification pair with personal choice As that is, mobile phone, card, tablet computer or other objects, relevant individual are registered to server, to allow then to be based on to be somebody's turn to do The presentation of object (provides driving license, bill or remuneration, the access authority in certain region, clothes to provide certain rights to the individual The access authority of business, the use, the electronic payment that service etc.).
The identification object can be smart card, mobile phone or some other portable at least one security component Object.The medium that the identification object can be used as promotional card, access the member card, insurance card or official country identity that service.
The initial stage is shown in FIG. 1.
Input personal initial biological data Bio.These initial biological datas Bio can for digital finger-print, iris image or The picture parts of the other identifier of person's face, ear or this human body for example tatoo, scar etc..These personal first eozoons Data Bio is digitized, and processed to create the digitized reference data derived from the initial biological data.Only from initial raw Digitized reference data derived from object data is stored in the security component of the object.Initial biological data Bio is without storage In the identification object.If the identification object is lost or is stolen, the misuse of personal biological data will not occur.
This initial biological data Bio be used to generate the first code key Kbio.This first code key KbioCan by application signature and/ Or the encryption function extremely numerical data derived from the biological data obtains.
Signed data P1 is generated by the security component of the object.These data P1 is uncertain and depends entirely on The electronics of the security component of the object;It is not stored in the memory of the identification object but pacifies being used as the electronics every time It is generated when the signature of whole assembly.Such data P1 is referred to alternatively as the abbreviation PUF (physical of " physical unclonable feature " unclonable feature);It includes a series of uncertain binary values not being available outside the object.It may be selected Ground, the signed data P1 generated by the security component of the object can also be to be stored in the security component of the object after generation Random number.
This signed data P1 of the security component of the object be used to generate the second code key KHW;Such as the safety by the object The value of random number or PUF that component generates can directly or be after encryption used to form a code key.
Then it can determine initial encryption secret-key Kcom.This initial encryption secret-key merges the first and second code key KbioAnd KHW, example Another algorithm is such as encrypted by using one in first or second code key.
Then, this initial encryption secret-key KcomIt is used for authentication server, to register the individual to the server, in this way The verification of the authenticity of his or she presentation and object holder couple in subsequent verification process based on the object can be sent out Put certain rights.
The registration step is it is shown in fig. 2, it shows identification object 10 and authentication server 30.
As described in Figure 1, initial encryption secret-key K has been generated by the identification object 10 of personal choicecom.This initially adds Close code key KcomIt is communicated with the server 30 for the first identifier Id1 for being associated with the individual.This first identifier Id1 of the individual can be His official country identity or the login ID (logging on to facebook, online retailer etc.) by being used for special services to personal choice.
Then, server 30 uses initial encryption secret-key KcomIt encrypts first identifier Id1 and generates public identifier Id2, such as is logical Cross the public key ciphering process (" Public Key Infrastructure " of being abbreviated as PKI) of standard.
Then, public identifier Id2 and initial encryption secret-key KcomBe stored relatively on server 30 with allow subsequently for Personal verifying.Public identifier Id2 can also be sent to identification object 10 to store.This public identifier Id2 is without safely depositing Storage, because it is not important, as described above.However, initial encryption secret-key KcomIt is storable in the security component of object 10 It is used during for being referred to as " matching on card " for being abbreviated as MOC later.
Fig. 3 and Fig. 4 shows the example that can be used as the identification object of a part of the invention.For example, the identification object 10 can It is the mobile phone (Fig. 3) for including the security component 11 provided in SIM card or other any embedded-type security components.Phone 10 It may include capturing the device and/or fingerprint reader 13 of image 12 and/or sound, or any other are used to capture biological data Device.Phone 10 further includes for the device 14 with cellular network communication;It may also include for local area network (Wifi or indigo plant Tooth) communication device or be used for near-field communication (NFC) device.Therefore, phone 10 can be communicated with authentication server, so that energy Enough access the right or service requested after having verified his or her identity by holder.
According to another example, identify that object 10 can be smart card (Fig. 4), which includes being located at chip form in the card Security component 11.Card 10 may include digital finger-print degree reader 13 or other any devices for capturing biological data.Card 10 pass through card 10 in contact mode and/or by non-contact communication device such as near-field communication (NFC) by reader appropriate In antenna 13 from chip 11 read data.This allow card 10 for example with terminal or telephone communication, with initialize to by holder The access of the right or service requested after identification check.It is held according to identical process described in phone is directed to reference Fig. 3 It exercises and uses 10 pairs of personal identification checks of smart card.
Depending on embodiment, above-mentioned Various Components can be differently distributed between identification object 10 and authentication server 30.
According to the first possible embodiment, the first code key Kbio, the second code key KHWAnd initial encryption secret-key KcomIn the object Security component in generate, and only initial encryption secret-key is transferred to server 30 (as shown in Figure 2).
For example, biological data Bio can be identified object 10 input itself by personal use, such as when the identification object is reference When the mobile phone of outfit camera or fingerprint reader Fig. 3 as described below.First code key KbioSo as to by identification object 10 Body generates, by applying storage in the algorithm in the security component of the object to the biological data of capture, such as in patent FR-A- Described in 2925732 creation stablize digital signature algorithm, then for applicating example such as hash function encryption function. From the security component that digitized reference data is also storable in the object derived from the biological data of capture, may then exist It is used during MOC.
Alternatively, can by reader appropriate input biological data Bio, it send it to identification object 10 with Generate the first code key Kbio.Biological data Bio can be directly transferred to identification object 10, if such as should by near-field communication NFC Object has the function of this, if having the function of this by honeycomb or the wireless communication object;Then object 10 itself calculates The digitized reference data derived from biological data.Alternatively, digitized reference data can caught derived from biological data Bio It obtains and identification object 10 is calculated and be then directly transferred in device, pass through near-field communication NFC or honeycomb or wireless communication.
Second code key KHWIt is generated in the security component of object 10, this is because data P1 passes through the security component of the object It generates and cannot be to transmitting outside the object 10.
If the first code key KbioWith the second code key KHWIt is generated in the security component of the object 10, it is secret for initial encryption Key KcomIt is advantageously also generated in the security component of object 10 to limit the exchange of sensitive data.
According to another possible embodiment, initial encryption secret-key KcomIt can be directly by receiving first and second in a secure manner Code key (KbioAnd KHW) server 30 generate.
For example, biological data Bio can be mounted on the network on PC by reader appropriate such as fingerprint reader or for example Camera capture.Then the first code key KbioIt can be generated by the third safety element for having collected safe biologic data Bio, or by taking Business device 30 generates, if biological data Bio or the digitized reference data derived from biological data are sent to it.
Although not being available outside the object 10 by the data P1 that the security component of the object generates, in the object 10 Security component in the second code key K for generatingHWIt can be transmitted to outside the object.
When needed, if initial encryption secret-key KcomIt is generated by server 30, it can be transmitted to identification object 10 and deposits Storage during subsequent MOC thereon to use.
No matter initial encryption secret-key KcomIt is to be generated by server 30, or generation is formed simultaneously by the safety of the object 10 It is then sent to the server, initial encryption secret-key KcomPublic affairs are created using to pass through encryption first identifier Id1 by the server Id2 is identified altogether.
Server 30 can be initial encryption secret-key K before generating public identifier Id2comIntroduce code key export.When creation is public When identifying Id2 altogether, introducing the export of this code key for encryption code key allows to create the public identifier for the server for being exclusively used in creating it. Specifically, multiple derived public identifier Id2n can be formed and stored on one or more servers.It is each derived public Mark Id2n is stored relatively with respective derived initial encryption secret-key altogether.Derived each number mark can be with clothes by this method The specific rights correlation being engaged on device for special services.
For example, personal want to use identical identification object, different services are registered on multiple servers.In order to provide specially Audit function-for involved service includes that refusal or security level-are preferably public identifier Id2 and service simultaneously for all It is not identical.Therefore the export code key of service from supplier is introduced into during generating public identifier Id2.
Depending on embodiment, it to be used for initial encryption secret-key KcomCode key export can directly by server 30 generate it is public It is introduced before identifying Id2, no matter encrypts code key KcomIt is generated by server or is generated by the security component of the object, and then When it generates initial encryption secret-key KcomWhen receive from server code key export.Alternatively, the first code key can generated KbioOr the second code key KHWDuring introduce the export, if by server itself it generated as described above first Code key Kbio, or by the security component of the object, then receive the code key export from server.
Once his or her identity is checked, identical identification object can then be accessed different clothes by personal use Business.
The verification stage is shown in Fig. 5.
Individual desires access to his or she the registered specified services at specified public identifier Id2n.
By generating general encryption code key Kcom' realize the verification of personal identification, according to same procedure described in reference diagram 1, Use the current biometric data Bio ' and current data P1 ' generated by identification object 10- card, phone etc.-.If initial generating Encrypt code key KcomDuring introduce code key export, it is identical export by an identical manner generate current crypto code key Kcom' during introduce.
Possible, the numerical data from current biometric data Bio ' passes through inside the comparison in the object itself carries out Confirmation, uses MOC process.In current crypto code key Kcom' and initial encryption secret-key KcomBetween comparison can inside the object, And by MOC process, and transmitting the current crypto code key Kcom', or proof of identification is provided to server or terminal, to obtain It takes and is completed before the right or service of request.
In the case where no MOC process, or as supplement, server 30n receives general encryption code key Kcom' simultaneously Compare it and initial encryption secret-key Kcom.If comparison result is positive, personal identity is effective and assigns the right of request;It is no Then personal identity is invalid, and the right requested is rejected.The use of derived common identity Id2n limits refusal service Ability, even if when the identical mark object of personal use.
Then the same mark object can be created the secure communication with remote server by personal use, which can It, may be in addition to (money being stored in silver other than the information standard exchange in existing infrastructure as GUI, keyboard and modem Row, risk management, health care etc.).
This identification can be rejected in virtual trading using to control fraud and prevent from trading, this is because using the knowledge The personal identification check of other object is based on biological data.
Data-Bio, Kcom, Id2 or their export value-transmission can be it is direct or by one or more Between equipment, such as such case on a communication network occurs for transmission.The data of transmission can be arbitrary format.Advantageously, these are passed Defeated is safe.Thus, it may be considered that for any appropriate process of safe transmission, such as use HTTPS, SSL/TLS or one A little others agreements.Individual server 30 can be used or multiple entities can provide respective function;One this entity can Be dedicated to calculating or store relevant to the biological value used data, and another entity can be dedicated to the storage of number mark with Compare.
Advantageously, personal private data can be transmitted to server 30 with the identical configuration for first identifier Id1. These private datas may include possibly serving for any data of a part verified or verified.As explanation, under they may include State at least one: password, the numeric address for identifying object, mark or some other data.In this case, it is related to individual Various data relatively by or store for server 30.Therefore, each data relevant to digital identity can be used for independent function Can or it service (Local or Remote).
Be notably, although explanation above used only captured during the initial stage initial biological data this One assumes to be described, but it is suitable for, if generating the first code key KbioDuring additional biological data quilt The case where capture and merging.
What other mechanism and other frameworks were certainly possible to, this is it will be apparent to those skilled in the art that especially The distribution different from those of shown in Fig. 2 and 5.
Some or all of above-mentioned operation can be referred to by one or more appropriate codes including being adapted for carrying out the method for the present invention The computer program of order is realized.This computer program can be loaded into and execute on the security component of communication identification object.

Claims (18)

1. one kind is verified for generating public identifier carries the identification object (10) including at least one security component (11) Personal method, the method includes the initial stage, which includes the following steps:
Capture personal initial biological data (Bio);
The first code key (K is generated according to the biological data by application signature and/or encryption functionbio);First code key (Kbio) In It is generated in the security component (11) of the identification object;
The second code key (K is generated by the data (P1) that the security component of the object generatesHW);Second code key (KHW) in identification pair It is generated in the security component (11) of elephant;
The algorithm that another is encrypted by using one in first code key or second code key is generated described in merging First code key (Kbio) and the second code key (KHW) initial encryption secret-key (Kcom);
By initial encryption secret-key (Kcom) first identifier (Id1) of relevant individual is communicated to server (30);
By the server by using initial encryption secret-key (Kcom) encryption first identifier (Id1) generation public identifier (Id2), In the server before generating public identifier for initial encryption secret-key introduce code key export,
The public identifier (Id2) and the initial encryption secret-key (Kcom) relatively stored by server;Initial encryption secret-key (Kcom) generated by the security component (11) of identification object (10), it is then transmit to server (30).
2. the method according to claim 1, wherein by the object security component generate data (P1) be by The uncertain numerical value (PUF) that the security component of the object generates.
3. the method according to claim 1, wherein by the object security component generate data (P1) be The random number being stored in after generation in the security component of the object.
4. method according to claim 1, which is characterized in that obtain the first code key by application signature and/or encryption function (Kbio), to quote the numerical data for being derived from biological data.
5. method according to claim 1, which is characterized in that the first code key (Kbio) generated in third safety element.
6. method according to claim 1, which is characterized in that initial encryption secret-key (Kcom) generated by server (30).
7. method according to claim 1, the first code key (Kbio) by introducing from the received code key export life of server (30) At.
8. method according to claim 1, which is characterized in that the second code key (KHW) received from server (30) by introducing Code key export generates.
9. method according to claim 1, which is characterized in that generate multiple derived public identifier (Id2n), and with each self-conductance Initial encryption secret-key (K outcom) be stored relatively on server (30) or multiple servers (30n) on.
10. method according to claim 1, which is characterized in that one or more public identifiers (Id2) are also transmitted and stored In identification object (10).
11. the method according to claim 1 further comprises verification stage to verify the individual for carrying the identification object Identity, the verification stage the following steps are included:
Capture personal current biometric data (Bio ');
Current data (P1 ') is generated by the security component (11) of the object;
According to current biometric data (Bio ') and current data (the P1 ') life generated according to the security component (11) by the object At current crypto code key (K ' com);
The current crypto code key (K ' com) and initial encryption secret-key (Kcom);
If comparison result is positive, the identity for carrying the individual of the identification object is effective;
If comparison result is negative, the identity for carrying the individual of the identification object is invalid.
12. the method according to claim 11, which is characterized in that this compares the security component (11) in identification object (10) Middle execution.
13. the method according to claim 11, which is characterized in that this compares executes at server (30).
14. a kind of electronic equipment (10), which is characterized in that include the steps that the peace for being adapted for carrying out the method according to claim 1 Whole assembly (11).
It further comprise the device for obtaining biological data (Bio, Bio ') 15. the electronic equipment according to claim 14.
16. the electronic equipment according to claim 14, which is characterized in that security component (11) access stores multiple public marks Know (Id2n) memory.
17. the system for the holder for verifying identification object, the system comprises:
Electronic equipment (10) according to claim 14;
At least one authentication server (30), including with initial encryption secret-key (Kcom) associated storage at least one public identifier (Id2)。
18. the system according to claim 17, including multiple authentication servers (30n), each authentication server includes at least One derived public identifier (Id2n)。
CN201380027190.XA 2012-03-19 2013-03-18 Public identifier is generated to verify the personal method for carrying identification object Expired - Fee Related CN104321777B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR1252444 2012-03-19
FR1252444A FR2988196B1 (en) 2012-03-19 2012-03-19 METHOD FOR AUTHENTICATING AN INDIVIDUAL BEARING AN IDENTIFICATION OBJECT
PCT/FR2013/050575 WO2013140079A1 (en) 2012-03-19 2013-03-18 Method for generating public identity for authenticating an individual carrying an identification object

Publications (2)

Publication Number Publication Date
CN104321777A CN104321777A (en) 2015-01-28
CN104321777B true CN104321777B (en) 2019-11-22

Family

ID=46754535

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380027190.XA Expired - Fee Related CN104321777B (en) 2012-03-19 2013-03-18 Public identifier is generated to verify the personal method for carrying identification object

Country Status (7)

Country Link
US (1) US10007773B2 (en)
EP (1) EP2828788A1 (en)
CN (1) CN104321777B (en)
BR (1) BR112014023361A2 (en)
FR (1) FR2988196B1 (en)
RU (1) RU2621625C2 (en)
WO (1) WO2013140079A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102013203436A1 (en) * 2013-02-28 2014-08-28 Siemens Aktiengesellschaft Generate a key to provide permission information
CN104899496B (en) * 2014-09-26 2020-01-31 腾讯科技(深圳)有限公司 data reading method and terminal thereof
US9621342B2 (en) * 2015-04-06 2017-04-11 Qualcomm Incorporated System and method for hierarchical cryptographic key generation using biometric data
SG10202006900PA (en) 2015-12-22 2020-08-28 Financial & Risk Organisation Ltd Methods and systems for identity creation, verification and management
US10097348B2 (en) * 2016-03-24 2018-10-09 Samsung Electronics Co., Ltd. Device bound encrypted data
CH712399A2 (en) * 2016-04-27 2017-10-31 Bron Christophe Biometric identification system based on venous networks and unique and non-falsifiable encodings of tree structures and associated method.
KR101806390B1 (en) * 2016-05-31 2017-12-07 주식회사지니 Card payment system and method for using body information
WO2019022658A1 (en) * 2017-07-27 2019-01-31 Fingerprint Cards Ab Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data
US11165772B2 (en) * 2017-09-13 2021-11-02 Fingerprint Cards Ab Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data
CN110574030B (en) * 2018-02-13 2021-05-11 指纹卡有限公司 Update biometric template protection key
EP3867785A1 (en) * 2018-10-17 2021-08-25 Nokia Solutions and Networks Oy Secure cryptoprocessor
US12072963B2 (en) * 2019-09-25 2024-08-27 Amod Ashok Dange System and method for affixing a signature using biometric authentication
US12026247B2 (en) 2019-09-25 2024-07-02 Amod Ashok Dange System and method for enabling a user to create an account on an application or login into the application without having the user reveal their identity
US12079367B2 (en) * 2019-09-25 2024-09-03 Amod Ashok Dange System and method for enabling social network users to grant their connections granular visibility into their personal data without granting the same visibility to the network operator
US12028347B2 (en) * 2019-09-25 2024-07-02 Amod Ashok Dange System and method for enabling a user to obtain authenticated access to an application using a biometric combination lock
WO2022196150A1 (en) * 2021-03-18 2022-09-22 株式会社 東芝 Remote issuing system and data-generating server
EP4369652A1 (en) * 2022-11-08 2024-05-15 Electronics and Telecommunications Research Institute Cold wallet apparatus and method of controlling the same

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6463533B1 (en) * 1999-04-15 2002-10-08 Webtv Networks, Inc. System for generating site-specific user aliases in a computer network
CN102388386A (en) * 2009-04-10 2012-03-21 皇家飞利浦电子股份有限公司 Device and user authentication

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123113A1 (en) * 2002-12-18 2004-06-24 Svein Mathiassen Portable or embedded access and input devices and methods for giving access to access limited devices, apparatuses, appliances, systems or networks
FR2867881B1 (en) 2004-03-17 2006-06-30 Sagem METHOD FOR CONTROLLING IDENTIFICATION OF PERSONS AND SYSTEM FOR IMPLEMENTING THE METHOD
US7805614B2 (en) * 2004-04-26 2010-09-28 Northrop Grumman Corporation Secure local or remote biometric(s) identity and privilege (BIOTOKEN)
US8171531B2 (en) * 2005-11-16 2012-05-01 Broadcom Corporation Universal authentication token
EP1811421A1 (en) * 2005-12-29 2007-07-25 AXSionics AG Security token and method for authentication of a user with the security token
US8245052B2 (en) * 2006-02-22 2012-08-14 Digitalpersona, Inc. Method and apparatus for a token
US20110002461A1 (en) * 2007-05-11 2011-01-06 Validity Sensors, Inc. Method and System for Electronically Securing an Electronic Biometric Device Using Physically Unclonable Functions
JP5028194B2 (en) * 2007-09-06 2012-09-19 株式会社日立製作所 Authentication server, client terminal, biometric authentication system, method and program
FR2925732B1 (en) 2007-12-21 2010-02-12 Sagem Securite GENERATION AND USE OF A BIOMETRIC KEY
US20090307140A1 (en) * 2008-06-06 2009-12-10 Upendra Mardikar Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
EP2329423B1 (en) * 2008-09-26 2018-07-18 Koninklijke Philips N.V. Authenticating a device and a user
US20120066497A1 (en) * 2009-05-20 2012-03-15 Koninklijke Philips Electronics N.V. Method and device for enabling portable user reputation
EP2323308B1 (en) * 2009-11-12 2016-03-23 Morpho Cards GmbH A method of assigning a secret to a security token, a method of operating a security token, storage medium and security token
US8667265B1 (en) * 2010-07-28 2014-03-04 Sandia Corporation Hardware device binding and mutual authentication
US8868923B1 (en) * 2010-07-28 2014-10-21 Sandia Corporation Multi-factor authentication
US8516269B1 (en) * 2010-07-28 2013-08-20 Sandia Corporation Hardware device to physical structure binding and authentication
JP2014523192A (en) * 2011-07-07 2014-09-08 ベラヨ インク Security by encryption using fuzzy authentication information in device and server communication
US20140237256A1 (en) * 2013-02-17 2014-08-21 Mourad Ben Ayed Method for securing data using a disposable private key

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6463533B1 (en) * 1999-04-15 2002-10-08 Webtv Networks, Inc. System for generating site-specific user aliases in a computer network
CN102388386A (en) * 2009-04-10 2012-03-21 皇家飞利浦电子股份有限公司 Device and user authentication

Also Published As

Publication number Publication date
EP2828788A1 (en) 2015-01-28
FR2988196B1 (en) 2014-03-28
RU2621625C2 (en) 2017-06-06
US10007773B2 (en) 2018-06-26
RU2014142045A (en) 2016-05-10
CN104321777A (en) 2015-01-28
WO2013140079A1 (en) 2013-09-26
US20150046699A1 (en) 2015-02-12
BR112014023361A2 (en) 2020-10-27
FR2988196A1 (en) 2013-09-20

Similar Documents

Publication Publication Date Title
CN104321777B (en) Public identifier is generated to verify the personal method for carrying identification object
US11824991B2 (en) Securing transactions with a blockchain network
US9741033B2 (en) System and method for point of sale payment data credentials management using out-of-band authentication
EP3257194B1 (en) Systems and methods for securely managing biometric data
EP2648163B1 (en) A personalized biometric identification and non-repudiation system
Mishra et al. Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce
US9614845B2 (en) Anonymous authentication and remote wireless token access
JP4664644B2 (en) Biometric authentication device and terminal
JP2009510644A (en) Method and configuration for secure authentication
US20130219481A1 (en) Cyberspace Trusted Identity (CTI) Module
JP2012003648A (en) Method for registering biometric information in biometric authentication system, method for use application of template, and authentication method
WO2014141263A1 (en) Asymmetric otp authentication system
CN104820814A (en) Second-generation ID card anti-counterfeiting verification system
Hosseini et al. Enhancement of security with the help of real time authentication and one time password in e-commerce transactions
Griffin Telebiometric authentication objects
CN110533417B (en) Digital asset management device, issuing method and system
EP3684004A1 (en) Offline interception-free interaction with a cryptocurrency network using a network-disabled device
ArunPrakash et al. Biometric encoding and biometric authentication (BEBA) protocol for secure cloud in m-commerce environment
KR20230004312A (en) System for authentication and identification of personal information using DID(Decentralized Identifiers) without collection of personal information and method thereof
US20240169350A1 (en) Securing transactions with a blockchain network
CN105072136B (en) A kind of equipment room safety certifying method and system based on virtual drive
WO2018122883A1 (en) Safety process/method for sending and exchanging a temporary enabled random code among at least three electronic devices for recharges, payments, accesses and/or ids of owners of a mobile device, such as a smartphone
KR101705293B1 (en) Authentication System and method without secretary Password
WO2018207079A1 (en) Method and system for universal access control management to an entity with inconsistent internet access
WO2019114813A1 (en) Biometric authentication system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20191122

Termination date: 20200318

CF01 Termination of patent right due to non-payment of annual fee